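/*
 * Files on an NTFS partition can contain different streams.
 *
 * Review note: the size shown by a directory listing covers only the
 * unnamed stream ("::$DATA"), so data held in named streams is not visible
 * there. Enumerating the streams, as below, shows everything a file holds.
 */

/* ---------------------------------------------------------------------------- */

/*
 * The variable length structure returned by ZwQueryInformationFile :
 *
 * Review note: the field the author labels "Unknown" behaves, in the sample
 * output further down, like the stream's allocated size (50 -> 56,
 * 12 -> 16, 100 -> 104, 24 -> 24, i.e. FileSize rounded up to a multiple
 * of 8). Later published headers name the two 64-bit fields StreamSize and
 * StreamAllocationSize. The author's names are kept here because the code
 * below refers to them.
 */
typedef struct _FILE_STREAM_INFORMATION {
    ULONG  NextEntryOffset;    // Entries are DWORD aligned so there may be padding bytes after the end of the name.
    ULONG  StreamNameLength;   // Length in bytes, not characters. No NULL is provided
    _int64 FileSize;           // Bytes of data in the stream.
    _int64 Unknown;            // See the review note above.
    WCHAR  StreamName[1];      // of the form :streamname:streamtype where streamtype = "$DATA"
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;

/* ---------------------------------------------------------------------------- */

/*
 * How to call ZwQueryInformationFile (ntdll.lib) and interpret the information.
 *
 * This is a fragment: the statements below sit inside a function whose
 * opening lines are not shown on this page. `h` (the file handle) and
 * `filename` come from that function.
 *
 * Changes from the original listing:
 *   - the NTSTATUS is checked before the buffer is read (the original left
 *     this as "// error checking?"), so a failed or truncated query no
 *     longer leads to parsing an uninitialised buffer;
 *   - the walk is limited to the bytes the call reported in
 *     IoStatusBlock.Information, and every NextEntryOffset and
 *     StreamNameLength is checked against what is left before it is used.
 *     A query that succeeds but returns zero bytes now prints no entry
 *     instead of reading stale stack data.
 *
 * NOTE(review): `buffer` is a char array that is accessed through a struct
 * containing 64-bit fields; the listing relies on the compiler placing it on
 * a suitable boundary. Confirm, or declare the buffer with a wider type.
 */
NTSTATUS status;
IO_STATUS_BLOCK IoStatusBlock;
char buffer[4096],*buf;
PFILE_STREAM_INFORMATION fsi;
DWORD StreamCount=0;
ULONG valid;        /* bytes of buffer the call filled in              */
ULONG pos;          /* offset of the entry currently being examined    */
ULONG left;         /* valid bytes from the current entry to the end   */
ULONG header;       /* size of the fixed part in front of StreamName   */
int   name_chars;   /* StreamNameLength converted to characters        */

status=ZwQueryInformationFile(h,                 // Handle to file - opened with read access
                              &IoStatusBlock,
                              buffer,
                              sizeof buffer,     // size of buffer
                              FileStreamInformation); // From ntddk.h

wprintf(L"\n\n%s\n",filename);

/* Negative NTSTATUS values are warnings and errors (this is what the
   NT_SUCCESS macro tests). That includes the "buffer too small" warning,
   in which case the list in `buffer` is incomplete and must not be walked
   as if it were whole. */
if(status < 0)
{
    wprintf(L"ZwQueryInformationFile failed, status = 0x%08lx\n",
            (unsigned long)status);
}
else
{
    header=(ULONG)FIELD_OFFSET(FILE_STREAM_INFORMATION, StreamName);

    valid=(ULONG)IoStatusBlock.Information;
    if(valid > sizeof buffer)          /* never trust a length beyond our own buffer */
        valid=(ULONG)sizeof buffer;

    pos=0;

    /* pos never exceeds valid, so the subtraction cannot wrap. */
    while(valid - pos >= header)
    {
        buf=buffer + pos;
        fsi=(PFILE_STREAM_INFORMATION)buf;
        left=valid - pos;

        /* The name must lie completely inside the returned data. */
        if(fsi->StreamNameLength > left - header)
        {
            wprintf(L"Entry at offset %lu has a name that runs past the returned data\n", pos);
            break;
        }

        StreamCount++;
        name_chars=(int)(fsi->StreamNameLength/sizeof(WCHAR));

        /* The name carries no terminator, so its length is passed as the
           precision to stop wprintf reading past it. */
        wprintf(L"NextOffset = %lu bytes\nNameLength = %lu bytes\nFileSize = %I64d bytes in stream\nUnknown = 0x%016I64x (%I64d)\nName = %*.*s\n\n",
                fsi->NextEntryOffset,
                fsi->StreamNameLength,
                fsi->FileSize,
                fsi->Unknown,fsi->Unknown,
                name_chars,name_chars,
                fsi->StreamName);

        if(fsi->NextEntryOffset==0)    /* zero marks the last entry */
            break;

        /* The next entry must start after this entry's name and inside
           the returned data. */
        if(fsi->NextEntryOffset < header + fsi->StreamNameLength ||
           fsi->NextEntryOffset > left)
        {
            wprintf(L"Entry at offset %lu has an invalid NextEntryOffset\n", pos);
            break;
        }

        pos+=fsi->NextEntryOffset;
    }

    printf("%lu %s\n\n",StreamCount,(StreamCount > 1) ? "streams" : "stream");
}
}   /* closes the enclosing function, whose opening is not shown on this page */

/* ---------------------------------------------------------------------------- */

/*
 * Sample output :
 *
 * NextOffset = 40 bytes
 * NameLength = 14 bytes
 * FileSize = 50 bytes in stream
 * Unknown = 0x0000000000000038 (56)
 * Name = ::$DATA                        All files have this one
 *
 * NextOffset = 48 bytes
 * NameLength = 24 bytes
 * FileSize = 12 bytes in stream
 * Unknown = 0x0000000000000010 (16)
 * Name = :abcde:$DATA                   These others are my own
 *
 * NextOffset = 48 bytes
 * NameLength = 24 bytes
 * FileSize = 100 bytes in stream
 * Unknown = 0x0000000000000068 (104)
 * Name = :qwert:$DATA
 *
 * NextOffset = 0 bytes                  therefore this is the last
 * NameLength = 26 bytes
 * FileSize = 24 bytes in stream
 * Unknown = 0x0000000000000018 (24)
 * Name = :thingy:$DATA
 */

/* ---------------------------------------------------------------------------- */

/*
 * Last updated 25th August '96
 * Personal jon@brilig.demon.co.uk
 * Work     jedwards@drsolomon.com
 */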